alpine 3.6
access weakness #198

1

Weakness Breakdown


Definition:

An access weakness occurs when software does not properly implement permissions that could have unintended consequences if exploited by malicious actors. An example of this weakness is when a default username and password are set by the developer but do not get changed by the system administrator.

Warning code(s):

Ensure that umask is given most restrictive possible setting.

File Name:

rsyslog/src/rsyslog-8.26.0/runtime/rsconf.h

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 access weakness.

 	int iMainMsgQDeqSlowdown;	/* dequeue slowdown (simple rate limiting) */
	int64 iMainMsgQueMaxDiskSpace;	/* max disk space allocated 0 ==> unlimited */
	int64 iMainMsgQueDeqBatchSize;	/* dequeue batch size */
	int bMainMsgQSaveOnShutdown;	/* save queue on shutdown (when DA enabled)? */
	int iMainMsgQueueDeqtWinFromHr;	/* hour begin of time frame when queue is to be dequeued */
	int iMainMsgQueueDeqtWinToHr;	/* hour begin of time frame when queue is to be dequeued */
};

/* globals are data items that are really global, and can be set only
 * once (at least in theory, because the legacy system permits them to 
 * be re-set as often as the user likes).
 */
struct globals_s {
	int bDebugPrintTemplateList;
	int bDebugPrintModuleList;
	int bDebugPrintCfSysLineHandlerList;
	int bLogStatusMsgs;	/* log rsyslog start/stop/HUP messages? */
	int bErrMsgToStderr;	/* print error messages to stderr
				  (in addition to everything else)? */
	int bAbortOnUncleanConfig; /* abort run (rather than starting with partial
				      config) if there was any issue in conf */
	int uidDropPriv;	/* user-id to which priveleges should be dropped to */
	int gidDropPriv;	/* group-id to which priveleges should be dropped to */
	int gidDropPrivKeepSupplemental; /* keep supplemental groups when dropping? */
	int umask;		/* umask to use */
	uchar *pszConfDAGFile;	/* name of config DAG file, non-NULL means generate one */

	// TODO are the following ones defaults?
	int bReduceRepeatMsgs; /* reduce repeated message - 0 - no, 1 - yes */

	//TODO: other representation for main queue? Or just load it differently?
	queuecnf_t mainQ;	/* main queue parameters */
};

/* (global) defaults are global in the sense that they are accessible
 * to all code, but they can change value and other objects (like
 * actions) actually copy the value a global had at the time the action
 * was defined. In that sense, a global default is just that, a default,
 * wich can (and will) be changed in the course of config file
 * processing. Once the config file has been processed, defaults
 * can be dropped. The current code does not do this for simplicity.
 * That is not a problem, because the defaults do not take up much memory.
 * At a later stage, we may think about dropping them. -- rgerhards, 2011-04-19
 */
struct defaults_s {
};


/* list of modules loaded in this configuration (config specific module list) */
struct cfgmodules_etry_s { 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.